|Summary:||UserDatabase Realm leaks os file descriptors for conf/tomcat-users.xml|
|Product:||Tomcat 9||Reporter:||Vassili Alibabaev <angry.skull>|
|Component:||Catalina||Assignee:||Tomcat Developers Mailing List <dev>|
|Attachments:||Stacktrace of file open failure when os file descriptors are over (recorded with v9.0.29)|
Description Vassili Alibabaev 2020-06-01 07:47:38 UTC
Created attachment 37285 [details] Stacktrace of file open failure when os file descriptors are over (recorded with v9.0.29) There is a bug in org.apache.catalina.users.MemoryUserDatabase that leaves the os file descriptors in open state. This is caused by the code line: https://github.com/apache/tomcat/blob/9.0.35/java/org/apache/catalina/users/MemoryUserDatabase.java#L428 Exact code line is: this.lastModified = resource.getURI().toURL().openConnection().getLastModified(); The org.apache.tomcat.util.file.ConfigurationSource.Resource is handled properly by the try-with-resources block, but a call to the URI/URL inside this block does not close any opened resources. These resources just stay in memory and occupy limited os resources. There is a similar bug in the OpenJDK: https://bugs.openjdk.java.net/browse/JDK-6956385 This behavior was introduced in version 9.0.13 and after bugs: https://bz.apache.org/bugzilla/show_bug.cgi?id=62924 https://bz.apache.org/bugzilla/show_bug.cgi?id=62958 The leaked file handles are usually collected by the GC, but if server has enough memory and stays idle, then too many handles are acquired from the os and there is no more available. A stacktrace of such failure is in the attachment. The read time period is 10 seconds by default and one file handle is leaked withing every read of tomcat-users.xml file. MemoryUserDatabase#watchSource is also true by default and this behavior is enabled in the default conf. A list of open files can be obtained by cmd: lsof -K | grep $TOMCAT_PID | grep "tomcat-users.xml" | wc -l org.apache.tomcat.util.file.ConfigurationSource.Resource#getLastModified() may be voulnerable too. Please analyze all places where java.net.URL#openConnection() is used
Comment 1 Remy Maucherat 2020-06-01 13:35:17 UTC
I guess it can be improved, but this problem actually doesn't do anything for me, so I never care.
Comment 2 Remy Maucherat 2020-06-01 14:02:34 UTC
The fis will be in 10.0.0-M6 and 9.0.36.